I recently ran across a post on the Security Catalyst Forums (fun place to go hang out if you don’t already). The subject was:
“Should contractors be ‘less trusted’ than ‘full-time’ employees?”
Well, should they?
The answer, of course, should be “no”. Contractors should be trusted exactly as much as employees, which is to say, not “trusted” at all: access is granted on the basis of risk, not on the basis of whose payroll someone is on.
A QUESTION OF TRUST?
You’re probably already saying in your mind that the level of trust we afford anyone on the magic-packet-carpet-ride we call a network or system should be inversely proportional to the Probable Impact a malicious actor could cause. More simply put, be more paranoid when there is more at stake. You would be correct, because you’re a risk-thinking individual, and this, like every “security” issue we face, is really a question of risk.
A QUESTION OF RISK!
We can look at any population of users for common characteristics and group them together in what we call a “Community”. So let’s group those who are employees into a category we’ll call “W-2s” and those who are contractors into a category we’ll call “1099s” (for international readers, those are the US tax forms that go with being an employee versus an independent contractor).
Now we have this distribution of W-2s to consider. We know that, given enough W-2s and enough time, one or more of them will eventually create what we call a Threat Event (an action against an asset). We don’t yet know whether they are successful, and the Threat Event may be intentionally malicious or unintentional/accidental, but people create events and this population will be no different. Similarly, we have a distribution of 1099s. Again, given enough of them and enough time, there will be some occurrence of Threat Events. Whether or not a Threat Event results in an actual Loss Event depends on our ability to resist the force the threat agent applies (in FAIR, Vulnerability: the probability that the threat agent’s capability exceeds our Control Strength).
So what we’re really talking about is what strategies we can apply to reduce the Frequency of Loss Events for our populations (W2, 1099). Now for any threat community, we can do one of three things:
1.) Reduce the Frequency of Contact
This is really “blocking”, “cordoning”, “obfuscation”, what have you: keeping the threat agent from reaching the asset in the first place. For W-2s and 1099s, who need access to do their jobs, our ability to reduce Frequency of Contact may be limited.
2.) Reduce the Probability of Action
The Probability of Action is driven by the Threat Agent’s perceived Value, Level of Effort, and Risk (that is, the perceived probable frequency and impact of getting caught). One difference that comes to me right away is that the “Value” factor may be lower for our W-2s, because job security and salary create a larger competing value that the threat agent will weigh the action against. The utility of that difference will, of course, vary with the needs and circumstances of the person.
3.) Increase our ability to resist their actions by increasing the strength of our controls (Control Strength).
Prevent, Detect, and Respond, right?
So the question we’ll need to consider comes down to this: are there significant differences between our threat communities that warrant different risk mitigation strategies? I would argue “not generally”. Prevention controls that govern roles, responsibilities and privileges commensurate with the level of risk, and in accordance with the risk tolerance of the organization, should be in place regardless of which paperwork (W-2 or 1099) someone signs.
How well you answer that question will depend on the strength of your risk analysis.